Microsoft Official Course
®
Module 3
Managing Active Directory Domain
Services Objects
Module Overview
• Managing User Accounts
• Managing Groups
• Managing Computer Accounts
• Delegating Administration
Lesson 1: Managing User Accounts
• AD DS Administration Tools
• Creating User Accounts
• Configuring User Account Attributes
• Creating User Profiles
• Demonstration: Managing User Accounts
• Demonstration: Using Templates to Manage User
Accounts
AD DS Administration Tools
To manage AD DS objects, you can use the
following graphical tools:
• Active Directory Administration snap-ins
• Active Directory Administrative Center
You can also use the following command-line tools:
• Active Directory module for Windows
PowerShell
• Directory Service commands (the ds* tools, such as dsadd, dsquery and dsmod)
Creating User Accounts
The Account section of the Active Directory
Administrative Center Create User window
Configuring User Account Attributes
The Log on hours dialog box
Creating User Profiles
The Profile section of the User Properties
window
Demonstration: Managing User Accounts
In this demonstration, you will see how to:
• Use the Active Directory Administrative Center to
manage user accounts
• Delete a user account
• Create a new user account
• Move the user account
• View the Windows PowerShell History pane
• Use Windows PowerShell to manage user accounts
• Find inactive user accounts
• Find disabled user accounts
• Delete disabled user accounts
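The Windows PowerShell part of this demonstration, written out as an added example (it is not the course's own demo script). It assumes the Active Directory module, a domain Adatum.com and an OU named OU=Staff,DC=Adatum,DC=com; all of those names are hypothetical.

```powershell
# Added example, not part of the course demonstration. Assumes the
# ActiveDirectory module and a hypothetical OU=Staff,DC=Adatum,DC=com.
Import-Module ActiveDirectory

$searchBase   = 'OU=Staff,DC=Adatum,DC=com'   # assumed; scope the search on purpose
$inactiveDays = 90

# 1. Inactive users. Search-ADAccount evaluates lastLogonTimestamp, which only
#    replicates when it is more than 14 days stale, so "90 days" really means
#    "somewhere between 90 and 104 days". Enabled stale accounts are the risky ones.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) `
                             -UsersOnly -SearchBase $searchBase |
            Where-Object { $_.Enabled }

$inactive | Select-Object SamAccountName, LastLogonDate |
            Sort-Object LastLogonDate | Format-Table -AutoSize

# 2. Disabled users in the same OU.
$disabled = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $searchBase

# 3. Delete disabled users, but only those changed long enough ago to be past a
#    retention period, that are not protected from deletion, and that do not carry
#    adminCount=1 (AdminSDHolder touched them: they were in a privileged group once).
$cutoff = (Get-Date).AddDays(-30)
foreach ($acct in $disabled) {
    $u = Get-ADUser -Identity $acct.DistinguishedName `
                    -Properties whenChanged, adminCount, ProtectedFromAccidentalDeletion
    if ($u.ProtectedFromAccidentalDeletion) {
        Write-Warning "Skipping protected account $($u.SamAccountName)"; continue
    }
    if ($u.adminCount -eq 1) {
        Write-Warning "Review manually (adminCount=1): $($u.SamAccountName)"; continue
    }
    if ($u.whenChanged -gt $cutoff) {
        Write-Verbose "Changed too recently, keeping: $($u.SamAccountName)"; continue
    }
    # Remove -WhatIf only after the list above has been reviewed.
    Remove-ADUser -Identity $u -Confirm:$false -WhatIf
}
```

Two things the demonstration glosses over: lastLogonTimestamp is deliberately imprecise, so do not read a 90-day report as exact, and a disabled account may still be the only trace of a former administrator (adminCount=1), which you want to investigate before you delete it.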
Demonstration: Using Templates to Manage
User Accounts
In this demonstration, you will see how to:
• Create a user template account
• Use Windows PowerShell to create a user from the
user template
• Verify the properties of the new user account
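The template procedure in PowerShell, as an added example rather than the course's script. It assumes a disabled template account named _SalesTemplate, a file server FS01 and an OU=Sales,OU=Staff,DC=Adatum,DC=com path; all hypothetical.

```powershell
# Added example; not the course's demonstration script. Names of the template,
# OU and file server are assumptions.
Import-Module ActiveDirectory

# Role attributes worth inheriting from the template. Identity attributes
# (name, SID, UPN, password) are never copied.
$roleAttrs = 'Department','Title','Company','Office','StreetAddress','City',
             'State','PostalCode','Country','Description',
             'HomeDrive','HomeDirectory','ProfilePath','ScriptPath'

$template = Get-ADUser -Identity '_SalesTemplate' -Properties $roleAttrs
if ($template.Enabled) {
    throw 'Template accounts must stay disabled; an enabled template is a spare logon.'
}

$sam   = 'Alice'            # new user; assumed
$name  = 'Alice Ciccu'

# -Instance copies the writable attributes of $template; the explicit
# parameters override everything that must be unique to the new user.
New-ADUser -Instance $template `
    -Name $name -SamAccountName $sam -DisplayName $name `
    -GivenName 'Alice' -Surname 'Ciccu' `
    -UserPrincipalName "$sam@adatum.com" `
    -Path 'OU=Sales,OU=Staff,DC=Adatum,DC=com' `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -Enabled $true

# -Instance does not expand %username%-style paths: the new user would point at
# the template's folders. Set the per-user paths explicitly.
Set-ADUser -Identity $sam -HomeDirectory "\\FS01\Home\$sam" -ProfilePath "\\FS01\Profiles\$sam"

# memberOf is a back-link attribute, so group membership is not copied either.
Get-ADPrincipalGroupMembership -Identity $template |
    Where-Object { $_.SamAccountName -ne 'Domain Users' } |   # primary group is already set
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members $sam }

# Verify what the new account ended up with.
Get-ADUser -Identity $sam -Properties ($roleAttrs + 'MemberOf') |
    Select-Object -Property (@('SamAccountName') + $roleAttrs + 'MemberOf')
```

The verification step matters because the two attributes people expect to be copied, the profile path and group membership, are exactly the ones -Instance does not handle for you.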
Lesson 2: Managing Groups
• Group Types
• Group Scopes
• Implementing Group Management
• Default Groups
• Special Identities
• Demonstration: Managing Groups
Group Types
• Distribution groups
• Used only with email applications
• Not security-enabled (no SID);
cannot be given permissions
• Security groups
• Security principal with a SID;
can be given permissions
• Can also be email-enabled
Both security groups and distribution
groups can be converted to the other
type of group
Group Scopes

Group scope  | Members from same domain          | Members from domain in same forest | Members from trusted external domain | Can be assigned permissions to resources
Local        | U, C, GG, DLG, UG and local users | U, C, GG, UG                       | U, C, GG                             | On the local computer only
Domain-local | U, C, GG, DLG, UG                 | U, C, GG, UG                       | U, C, GG                             | Anywhere in the domain
Universal    | U, C, GG, UG                      | U, C, GG, UG                       | N/A                                  | Anywhere in the forest
Global       | U, C, GG                          | N/A                                | N/A                                  | Anywhere in the domain or a trusted domain

U = User, C = Computer, GG = Global group, DLG = Domain-local group, UG = Universal group
Implementing Group Management
I  Identities: users or computers, which are members of
G  Global groups, which collect members based on members' roles, which are members of
DL Domain-local groups, which provide management such as resource access, which are
A  Assigned access to a resource
This best practice for nesting groups is known as IGDLA.
Example: Sales (Global group) and Auditors (Global group) are members of ACL_Sales_Read (Domain-local group), which is the group assigned access to the resource.
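The IGDLA chain from the diagram, built end to end in PowerShell, as an added example (not course material). It assumes groups live in OU=Groups,DC=Adatum,DC=com, that users Adam and Ana exist, and that D:\Shares\Sales is a folder on the server where the script runs; all of these are hypothetical.

```powershell
# Added example; not course material. OU, share path and user names are assumed.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=Adatum,DC=com'
$share   = 'D:\Shares\Sales'
$netbios = (Get-ADDomain).NetBIOSName

function Ensure-ADGroup([string]$Name, [string]$Scope) {
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $groupOU
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                         -Path $groupOU -PassThru
    }
    $g
}

# G: role groups are global, so they can be used in any domain of the forest
$sales    = Ensure-ADGroup 'Sales'    'Global'
$auditors = Ensure-ADGroup 'Auditors' 'Global'
# DL: the permission group is domain local and named after resource + access level
$aclRead  = Ensure-ADGroup 'ACL_Sales_Read' 'DomainLocal'

# I -> G
Add-ADGroupMember -Identity $sales -Members 'Adam','Ana'
# G -> DL
Add-ADGroupMember -Identity $aclRead -Members $sales, $auditors

# DL -> A: the only principal added to the ACL is the domain-local group
$acl  = Get-Acl -Path $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "$netbios\ACL_Sales_Read",
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check 1: who effectively gets Read through the nesting?
Get-ADGroupMember -Identity $aclRead -Recursive | Select-Object objectClass, SamAccountName

# Check 2: an ACE that names a user directly bypasses IGDLA; flag any such entry.
(Get-Acl -Path $share).Access | ForEach-Object {
    $account = $_.IdentityReference.Value.Split('\')[-1]
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$account)" -Properties objectClass
    if ($obj -and $obj.objectClass -eq 'user') {
        Write-Warning "Direct user ACE on $share : $($_.IdentityReference) $($_.FileSystemRights)"
    }
}
```

The second check is the one worth keeping: IGDLA only pays off if nobody adds users straight to the resource ACL, and that is easiest to catch on the file server side.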
Default Groups
• Carefully manage the default groups that provide administrative
privileges, because these groups:
• Typically have broader privileges than are necessary for most
delegated environments
• Are, with few exceptions, protected groups: the AdminSDHolder process
periodically overwrites the permissions on their members and disables inheritance,
so delegated permissions on those accounts do not take effect

Group             | Location
Enterprise Admins | Users container of the forest root domain
Schema Admins     | Users container of the forest root domain
Administrators    | Built-in container of each domain
Domain Admins     | Users container of each domain
Server Operators  | Built-in container of each domain
Account Operators | Built-in container of each domain
Backup Operators  | Built-in container of each domain
Print Operators   | Built-in container of each domain
Cert Publishers   | Users container of each domain
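An audit of exactly these groups, as an added example that is not part of the course. It assumes a single-domain forest, so that Enterprise Admins and Schema Admins live in the same domain as the other groups; in a multi-domain forest you would query the forest root domain for those two.

```powershell
# Added example; not course material. Assumes a single-domain forest.
Import-Module ActiveDirectory

$privilegedGroups = 'Enterprise Admins','Schema Admins','Administrators','Domain Admins',
                    'Server Operators','Account Operators','Backup Operators',
                    'Print Operators','Cert Publishers'

# 1. Effective (nested) user membership of each privileged group.
$report = foreach ($name in $privilegedGroups) {
    $group = Get-ADGroup -Identity $name
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, adminCount |
        Select-Object @{n='Group'; e={ $name }}, SamAccountName, Enabled,
                      LastLogonDate, PasswordLastSet, adminCount
}
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Accounts that still carry adminCount=1 but are no longer in any of these
#    groups. AdminSDHolder does not clear the flag or re-enable inheritance when
#    a user leaves a protected group, so such accounts keep the locked-down ACL
#    and silently ignore any delegation you set on their OU.
#    Extend $privilegedGroups if you have added groups to AdminSDHolder protection.
$currentMembers = $report.SamAccountName | Sort-Object -Unique
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $currentMembers -and $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, DistinguishedName
```

Recursive membership is the figure that matters: a user reaches Domain Admins through a nested group just as effectively as through direct membership, and the GUI's Members tab shows only the direct ones.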
Special Identities
• Special identities are groups for which membership is controlled by the
operating system
• The Windows Server operating system can use them to provide access to
resources:
• Based on the type of authentication or connection
• Not based on the user account
• Important special identities include:
• Anonymous Logon
• Interactive
• Authenticated Users
• Network
• Everyone
• Creator Owner
Demonstration: Managing Groups
In this demonstration, you will see how to:
• Create a new group
• Add members to the group
• Add a user to the group
• Change the group type and scope
• Modify the group's Managed By property
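The scope, category and Managed By steps of this demonstration in PowerShell, as an added example (not the course's script). It assumes a security group named Project-X and a user Adam in a domain whose NetBIOS name is ADATUM; all hypothetical. The scope-change function goes slightly beyond the demo: it handles the case AD DS refuses, a direct change between Global and Domain local.

```powershell
# Added example; not the course demo script. Group, user and domain names are assumed.
Import-Module ActiveDirectory

function Set-ADGroupScopeSafely {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global','DomainLocal','Universal')][string]$Scope
    )
    $g = Get-ADGroup -Identity $Identity -Properties Members, MemberOf
    if ($g.GroupScope -eq $Scope) { return $g }

    # AD DS refuses a direct Global <-> DomainLocal change; Universal is the bridge.
    $path = @()
    if (($g.GroupScope -eq 'Global'      -and $Scope -eq 'DomainLocal') -or
        ($g.GroupScope -eq 'DomainLocal' -and $Scope -eq 'Global')) { $path += 'Universal' }
    $path += $Scope

    foreach ($step in $path) {
        if ($step -eq 'Universal') {
            # Preconditions AD DS enforces, checked here to produce a readable error.
            if ($g.GroupScope -eq 'Global' -and
                ($g.MemberOf | Get-ADGroup | Where-Object GroupScope -eq 'Global')) {
                throw "$Identity is a member of a global group; remove that membership first."
            }
            if ($g.GroupScope -eq 'DomainLocal' -and
                ($g.Members | Get-ADObject | Where-Object ObjectClass -eq 'group' |
                 Get-ADGroup | Where-Object GroupScope -eq 'DomainLocal')) {
                throw "$Identity contains a domain-local group; remove it first."
            }
        }
        Set-ADGroup -Identity $g -GroupScope $step
        $g = Get-ADGroup -Identity $g -Properties Members, MemberOf
    }
    $g
}

# Global -> Domain local, done as Global -> Universal -> Domain local
Set-ADGroupScopeSafely -Identity 'Project-X' -Scope DomainLocal

# Category: converting to Distribution keeps the SID on the object, but the group
# no longer appears in access tokens, so every ACE that grants it access stops
# working without any error being raised.
Set-ADGroup -Identity 'Project-X' -GroupCategory Distribution

# Managed By is informational only. The GUI check box "Manager can update
# membership list" adds a separate ACE granting write on the member attribute;
# dsacls adds the same ACE (WP = write property).
Set-ADGroup -Identity 'Project-X' -ManagedBy (Get-ADUser -Identity Adam)
$dn = (Get-ADGroup -Identity 'Project-X').DistinguishedName
dsacls $dn /G "ADATUM\Adam:WP;member"

Get-ADGroup -Identity 'Project-X' -Properties ManagedBy |
    Select-Object Name, GroupScope, GroupCategory, ManagedBy
```

The two quiet failure modes here are the ones to remember: a category change to Distribution removes the group from tokens while the ACEs naming it remain, and setting Managed By on its own grants the manager nothing.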
Lesson 3: Managing Computer Accounts
• What Is the Computers Container?
• Specifying the Location of Computer Accounts
• Controlling Permissions to Create Computer
Accounts
• Performing an Offline Domain Join
• Computer Accounts and Secure Channels
• Resetting the Secure Channel
• Bring Your Own Device
What Is the Computers Container?
Active Directory Administrative Center, opened to the
Adatum (local)\Computers container
Distinguished Name is cn=Computers,DC=Adatum,DC=com
Specifying the Location of Computer Accounts
• Best practice is to create OUs for
computer objects:
• Servers, typically subdivided by server role
• Client computers, typically subdivided by region
• Divide OUs:
• By administration
• To facilitate configuration with Group
Policy
Controlling Permissions to Create Computer
Accounts
The Delegation of Control Wizard window
The administrator is creating a custom
delegation for computer objects
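The two procedures above (placing computer accounts in OUs, then delegating the right to create them) carried out in PowerShell, as an added example that is not course material. It assumes a group named HelpDesk exists, that the OU names Clients, Servers, London, Seattle, Web and SQL are free, and that it runs as a domain administrator; all hypothetical. It also includes one step the wizard does not mention: closing the default ms-DS-MachineAccountQuota, which otherwise lets any authenticated user create computer accounts regardless of the delegation.

```powershell
# Added example; not course material. Group and OU names are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. OU structure: servers by role, clients by region.
$clientsOU = New-ADOrganizationalUnit -Name 'Clients' -Path $domainDN -PassThru
$serversOU = New-ADOrganizationalUnit -Name 'Servers' -Path $domainDN -PassThru
foreach ($region in 'London','Seattle') {
    New-ADOrganizationalUnit -Name $region -Path $clientsOU.DistinguishedName
}
foreach ($role in 'Web','SQL') {
    New-ADOrganizationalUnit -Name $role -Path $serversOU.DistinguishedName
}

# 2. New domain joins should land in an OU that has Group Policy, not in
#    CN=Computers (a container, which cannot be linked to a GPO).
redircmp.exe "OU=London,$($clientsOU.DistinguishedName)"

# 3. Delegate "create and delete computer objects" on the Clients OU to HelpDesk.
#    The object-type GUID is read from the schema rather than hard-coded.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=computer)' `
                              -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID
$helpDeskSid   = (Get-ADGroup -Identity 'HelpDesk').SID

$ouPath = "AD:\$($clientsOU.DistinguishedName)"
$acl    = Get-Acl -Path $ouPath
$rule   = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpDeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,                                            # computer objects only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 4. Close the side door: by default ms-DS-MachineAccountQuota lets every
#    authenticated user join up to 10 computers to the domain, which makes the
#    delegation above meaningless for anyone who knows about it.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Verify the new ACE.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -like '*HelpDesk' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

With the quota at 0, only principals that hold the delegated Create Child right on the target OU can join computers, which is the state the wizard leads you to believe you are already in.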